Privacy Policy
Last updated: 29 March 2026
At Dopa Digital Ltd. ("we", "us", "our"), your privacy is fundamental to how we build our product. This policy explains what personal data the dopa application ("the app") collects, how we use it, how we protect it, and your rights under applicable data protection law including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data controller
Dopa Digital Ltd., registered in England and Wales, is the data controller responsible for your personal data. You can contact us at hello@dopadigital.org.
What data we collect and why
| Data | Purpose | Legal basis |
|---|---|---|
| Step count (via Apple HealthKit) | To determine whether your daily step goal has been met and to unlock your selected apps. Aggregated daily step totals are stored on our servers to enable profile statistics and challenge leaderboards. | Consent (HealthKit permission prompt) |
| Screen Time selections (via Apple FamilyControls) | To manage which apps are restricted on your device until your goal is met. These selections are processed entirely on your device by Apple's framework and are never transmitted to our servers. | Consent (Screen Time permission prompt) |
| Account identifier and authentication metadata | An anonymous account is created on first launch to enable cloud features. You may optionally link this to your Apple ID via Sign in with Apple for data backup and cross-device sync. Firebase Authentication automatically collects technical metadata such as your IP address, device type, and browser or app user agent for security and fraud prevention purposes. | Legitimate interest (providing the service and preventing fraud); consent (Sign in with Apple) |
| Profile information | Display name, username, and optional profile photo that you choose to provide. Used within the app's social features. | Consent (you provide this voluntarily) |
| Social data | Friend connections, friend requests, moments (photos and captions), comments on moments, and stars (likes) you give to other users' moments. Visible to your friends or, if you choose, to all dopa users. | Consent (you initiate social interactions) |
| Streak and goal data | Your current streak count, total days completed, and daily step goal. Stored in the cloud to persist across sessions and enable challenges with friends. | Legitimate interest (providing the service) |
| Subscription status | Whether you hold an active dopa+ subscription. Managed entirely by Apple via StoreKit; we receive confirmation of active entitlements (not payment details) and store this status locally on your device only. | Contract (subscription agreement) |
| Email address (waitlist) | If you join our waitlist via the website, we collect your email to notify you about launch and updates. Waitlist submissions are processed using Google Apps Script, a Google service, meaning your email address is transmitted to and stored on Google infrastructure. | Consent |
Health data
dopa reads your step count from Apple HealthKit. This data is used to determine whether your daily goal has been met and to unlock your selected apps. Aggregated step data (such as daily totals, total lifetime steps, and streak counts) may be stored on our servers to power features like your profile stats and challenges with friends. We do not store continuous or time-stamped HealthKit samples on our servers. We do not transmit step data to third parties beyond our infrastructure provider (Firebase) or use health data for advertising or analytics. Your step count data is processed in accordance with Apple's HealthKit guidelines.
How and where your data is stored
dopa uses Google Firebase as its backend infrastructure. The following data is stored on Firebase servers:
- Firebase Authentication — your anonymous account identifier, Apple ID credentials if you choose to sign in, and technical metadata automatically collected by Firebase (such as IP address and device information) for security purposes.
- Cloud Firestore — your user profile, friend connections, friend requests, moments (including comments and stars), challenge participation records (including step counts), and streak data.
- Firebase Storage — profile photos and moment images you upload.
Firebase services are operated by Google and data is processed within the infrastructure described in Firebase's privacy documentation. Data may be processed in data centres located outside the United Kingdom. Where this occurs, appropriate safeguards are in place, including standard contractual clauses approved by the UK Information Commissioner's Office (ICO).
Certain data is also stored locally on your device, including your step goal preference, Screen Time app selections, streak reminder settings, subscription status, and cached profile images. This data remains on your device and is not transmitted externally.
What we do not do
- We do not sell your personal data to third parties.
- We do not share your data with advertisers.
- We do not track your location.
- We do not collect data about which apps you use or how often you use them. Screen Time selections are processed entirely on your device by Apple's framework.
- We do not use your data for profiling or automated decision-making.
- We do not use tracking technologies or advertising identifiers.
Data sharing
We share your data only in the following limited circumstances:
- With other dopa users — your display name, username, profile photo, moments, and comments are visible to your friends (or to all dopa users if you set moments to public). If you participate in challenges, your step counts and daily progress are visible to other participants via the challenge leaderboard.
- Firebase (Google) — as our backend infrastructure provider, as described above.
- Apple — HealthKit, Screen Time, Sign in with Apple, and in-app purchase services are governed by Apple's privacy policies.
- Google Apps Script — if you join our waitlist via the website, your email address is processed using Google Apps Script and stored on Google infrastructure.
- Legal requirements — we may disclose data if required to do so by law or in response to a valid legal request from a public authority.
Data retention
We retain your data for as long as your account exists and the app is in use. If you delete your account or request data deletion, we will remove your personal data from our servers within 30 days, except where we are required by law to retain it for longer.
Anonymous accounts that have been inactive for more than 12 months may be automatically deleted along with their associated data.
Your rights
Under UK data protection law, you have the following rights:
- Access — you can request a copy of the personal data we hold about you.
- Rectification — you can ask us to correct inaccurate data.
- Erasure — you can ask us to delete your data ("right to be forgotten").
- Restriction — you can ask us to restrict processing of your data in certain circumstances.
- Portability — you can request your data in a portable format.
- Objection — you can object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, you can withdraw it at any time. Revoking HealthKit or Screen Time permissions in your device settings will immediately stop the app from accessing that data.
To exercise any of these rights, contact us at hello@dopadigital.org. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Children's privacy
dopa is not intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that data promptly.
Third-party services
dopa integrates with the following third-party services, each governed by their own privacy policies:
- Apple HealthKit — for reading step count data.
- Apple Screen Time (FamilyControls) — for managing app restrictions.
- Sign in with Apple — for optional account authentication.
- Google Firebase — for authentication, database, and file storage.
- Apple StoreKit — for managing in-app subscriptions.
Security
We take reasonable technical and organisational measures to protect your data, including encrypted connections (TLS) for all data in transit, Firebase security rules restricting database access to authorised users, and secure token-based authentication. However, no system is completely secure, and we cannot guarantee absolute security.
Changes to this policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. If we make significant changes to how we handle your data, we will make reasonable efforts to notify you through the app or via email.
Contact
If you have questions about this privacy policy, wish to exercise your data rights, or have concerns about how your data is handled, please contact us at hello@dopadigital.org.
Dopa Digital Ltd. is registered in England and Wales.